Hao, Feng, Metere, Roberto, Shahandashti, Siamak F. and Dong, Changyu (2018) Analyzing and patching SPEKE in ISO/IEC. IEEE Transactions on Information Forensics and Security, 13 (11). pp. 2844-2855. doi:10.1109/TIFS.2018.2832984

Preview

PDF WRAP-analyzing-patching-SPEKE-Hao-2018.pdf - Accepted Version - Requires a PDF viewer. Download (988Kb) | Preview

Request Changes to record.

Abstract

Simple password exponential key exchange (SPEKE) is a well-known password authenticated key exchange protocol that has been used in Blackberry phones for secure messaging and Entrust's TruePass end-to-end web products. It has also been included into international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyze the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks: an impersonation attack that allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, and a key-malleability attack that allows a man-in-the-middle to manipulate the session key without being detected by the end users. Both attacks have been acknowledged by the technical committee of ISO/IEC SC 27 and ISO/IEC 11770-4 revised as a result. We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks. The proposed patch has been included into the latest revision of ISO/IEC 11770-4 published in 2017.

Item Type:	Journal Article
Subjects:	Q Science > QA Mathematics > QA76 Electronic computers. Computer science. Computer software
Divisions:	Faculty of Science > Computer Science
Library of Congress Subject Headings (LCSH):	Computers -- Access control -- Passwords, Institute of electrical and electronics engineers -- Standards, International Standardizing Organization
Journal or Publication Title:	IEEE Transactions on Information Forensics and Security
Publisher:	IEEE
ISSN:	1556-6013
Official Date:	November 2018
Dates:	Date Event November 2018 Published 3 May 2018 Available 10 April 2018 Accepted
Date of first compliant deposit:	5 December 2018
Volume:	13
Number:	11
Page Range:	pp. 2844-2855
DOI:	10.1109/TIFS.2018.2832984
Status:	Peer Reviewed
Publication Status:	Published
Publisher Statement:	© 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Access rights to Published version:	Restricted or Subscription Access
RIOXX Funder/Project Grant:	Project/Grant ID RIOXX Funder Name Funder ID 306994 European Research Council http://viaf.org/viaf/130022607 EP/M013561/2 [EPSRC] Engineering and Physical Sciences Research Council http://dx.doi.org/10.13039/501100000266
Related URLs:	Other Repository

Request changes or add full text files to a record

Repository staff actions (login required)

View Item

Downloads